How to control access to AWS using a terminal

October 19th, 2017 / product and technology, developer

So you’ve got a team of developers working on projects that run on Amazon Web Services (AWS) and they all need programmatic access to various AWS resources.

How do you grant AWS access to these developers? Well, if you know AWS then you will know they need AWS access credentials. This gives them the ability to access the resources they require and it’s fairly easy to set up.

But what happens when your developers are accessing multiple different AWS accounts and have different access levels or roles in each of those accounts? You can start issuing AWS credentials for each developer under each account and for each role but that is quickly going to turn into a massive management headache that you know you don’t have time for.

So what can you do? Well OneLogin has a nifty new command line tool that solves all of these issues for you. We call it OneLogin AWS CLI Assume Role.

The OneLogin AWS CLI tool both saves AWS administration time and improves developer productivity by letting you manage user access via your OneLogin portal and issue temporary AWS credentials via a simple command line interface.

Better yet, it means that you will never have to manually issue multiple AWS credentials for your developers ever again.

Here’s what it looks like for a developer that needs to login to AWS to access an app. Notice how they can specify their AWS app, region, and role, along with their OneLogin instance — all from the command line interface.

It also automatically supports Multi-Factor Authentication (MFA) by conveniently prompting for a token if one is required. This is incredibly important because AWS developer accounts are privileged and should be protected with MFA.

How do I get it?

We have a detailed help doc that takes you through the steps required to get this up and running. But in brief, this is how it works:

  1. You set up an AWS Multi Account app in your OneLogin account. Note that you still need to use the Multi Account app even if you only have one AWS account.
  2. You create a set of Authentication Only level OneLogin API credentials and distribute these to all your developers.
  3. Your developers download the OneLogin AWS CLI binary from our GitHub repository and configure it with the API credentials you provided.
  4. Each developer executes the binary from the command line and is prompted for their OneLogin username, password, and MFA token if you have that enabled.
  5. Once the developer is authenticated, they are prompted with a list of available AWS accounts and roles that they can access. They select one and are magically presented with the appropriate AWS credentials.
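As an added illustration of step 5 (example code, not the OneLogin tool's own source and not from this post), here is the role-selection and credential-exchange logic such a CLI performs, assuming the standard AWS SAML federation flow: the identity provider returns a base64-encoded SAML assertion whose Role attribute lists role/provider ARN pairs, the developer picks one, and the tool exchanges it via AWS STS AssumeRoleWithSAML for temporary keys that it writes to a named AWS profile. The assertion, account IDs and profile name below are constructed placeholders; the MFA prompt and the OneLogin login call are outside the snippet.

```python
import base64
import configparser
import io
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (placeholder account IDs), base64-encoded as an IdP
# returns it. Two accounts; AWS allows either ARN order inside the comma-separated value.
SAMPLE_ASSERTION = base64.b64encode(b"""<saml:Assertion
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/OneLogin</saml:AttributeValue>
    <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/OneLogin,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>""").decode()

def parse_roles(assertion_b64):
    """Return (role_arn, principal_arn) pairs the developer may choose from."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            principal = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(principal) != 1:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            pairs.append((role[0], principal[0]))
    return pairs

def assume_role_request(assertion_b64, role_arn, duration=3600):
    """Parameters for STS AssumeRoleWithSAML (boto3: sts.assume_role_with_saml(**params))
    for the role the developer selected from the list."""
    principal = dict(parse_roles(assertion_b64))[role_arn]
    return {"RoleArn": role_arn, "PrincipalArn": principal,
            "SAMLAssertion": assertion_b64, "DurationSeconds": duration}

def credentials_profile(creds, profile="onelogin"):
    """Render the temporary STS credentials as an ~/.aws/credentials profile block."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    buf = io.StringIO(); cfg.write(buf)
    return buf.getvalue()
```

Because the credentials carry a session token and a DurationSeconds limit, they expire on their own, which is what removes the long-lived per-account, per-role access keys the post describes.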

If you’re feeling the pain of managing access to multiple accounts, with multiple roles for multiple people then this new CLI tool will change your life. Give it a try now!

About the Author

Rich Chetwynd founded Litmos, the market-leading learning technology company, as well as ThisData, a data security company leading the way in Account Takeover (ATO) attack detection. After ThisData was acquired by OneLogin in Summer 2017, Rich began working with the OneLogin engineering team with a focus on adaptive authentication.
